Slashdot Mirror


Cisco Patches 'ExtraBacon' Zero-day Exploit Leaked By NSA Hackers (dailydot.com)

Patrick O'Neill quotes a report from The Daily Dot: After a group of hackers stole and published a set of NSA cyberweapons earlier this week, the multibillion dollar tech firm Cisco is now updating its software to counter two potent leaked exploits that attack and take over crucial security software used to protect corporate and government networks. "Cisco immediately conducted a thorough investigation of the files released, and has identified two vulnerabilities affecting Cisco ASA devices that require customer attention," the company said in a statement. "On Aug. 17, 2016, we issued two Security Advisories, which deliver free software updates and workarounds where possible." The report adds: "An unknown group of hackers dubbed the Shadow Brokers posted cyberweapons stolen from the so-called Equation Group, the National Security Agency-linked outfit known as 'the most advanced' group of cyberwarriors in the internet's history. One of the cyberweapons posted was an exploit called ExtraBacon that can be used to attack Cisco Adaptive Security Appliance (ASA) software designed to protect corporate networks and data centers. 'ExtraBacon targets a particular firewall, Cisco ASA, running a particular version (8.x, up to 8.4), and you must have SNMP read access to it,' Khalil Sehnaoui, a Middle East-based cybersecurity specialist and founder of Krypton Security, told the Daily Dot. 'If run successfully, the exploit will enable the attacker to access the firewall without a valid username or password.' ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools."

100 comments

  1. Oh, really? by Anonymous Coward · · Score: 3, Interesting

    ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools.

    Yeah, sure, because Cisco has never co-operated with any of the TLAs in the past.

    1. Re:Oh, really? by Anonymous Coward · · Score: 1

      ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools.

      Should add that in addition to the NSA it was also probably known by the PLA, FSB, Israel, UK and random criminal hacker gangs. Thanks NSA, thanks for keeping that intelligence flowing.... in both directions.

    2. Re:Oh, really? by Anonymous Coward · · Score: 0

      ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools.

      Yeah, sure, because Cisco has never co-operated with any of the TLAs in the past.

      Agreed.

      The fact the problem even existed shows how well Cisco does not test their products.

      A few years ago when I was working for a company that is a BIG customer of Cisco (aka "CRISCO") the Cisco support team failed to tell me about various critical issues in their products. One night during network maintenance work all of the "backbone" routers (really big boxes still sold today, same model, same code, but totally different than the other Cisco routers we used) in the entire network started to "lock up" their "route processors" and constantly flush route tables. It took Cisco around 6 to 8 hours (2 to 4 hours longer than what I needed to figure out the problem and suggest a "fix" to my management) to admit to the source of the problem and tell my management how they would fix it. Upon in-depth "after the outage" questioning of Cisco support staff it was determined that Cisco support WILLFULLY decided not to tell us of these "hidden issues" during "bug scrub" because Cisco support did not think any customer would ever encounter these "hidden issues" in the model of router we used in our "backbone". Needless to say, my management WAS NOT AMUSED AT ALL and "dealt with Cisco accordingly" and "rumor has it" Cisco later provided fixed code image(s? ... I forgot the exact details) that corrected these "hidden issues".

      So it seems like the only way to get Cisco to fix ANY problem with their products is to shame Cisco in public.

    3. Re:Oh, really? by peawormsworth · · Score: 1

      NSA seems to be so blinded by their goal of finding and exploiting weaknesses, that they completely forget or ignore the idea of protecting the citizens of their own nation. I see little difference between NSA and hackers. Both work hard to endanger me and my neighbours.

      imo, NSA is a danger to our national security. At this point, I would vote to throw out the baby with the bathwater.

  2. I dont know about all that by Anonymous Coward · · Score: 5, Funny

    But I support anything related to bacon

    1. Re:I dont know about all that by Anonymous Coward · · Score: 0

      Good thing you are anonymous. Unamerican Coward. ;)

    2. Re:I dont know about all that by Anonymous Coward · · Score: 0

      Unamerican

      Why are you giving him a compliment?

    3. Re:I dont know about all that by Anonymous Coward · · Score: 0

      A non-American can justifiably be unAmerican. Otherwise they would likely be un[insert-country-of-origin].

    4. Re:I dont know about all that by Anonymous Coward · · Score: 0

      But I support anything related to bacon

      Give funny code names so that if ever divulged will be met with snickers and laughs... check.

      The genocidal weapons are probably all prefixed with "Fuzzy Bunny... " code names.

    5. Re: I dont know about all that by Anonymous Coward · · Score: 0

      Your logic is flawed.

  3. Hackers stole a set of NSA cyberweapons by khz6955 · · Score: 1, Interesting

    Does anyone here really believe this cyber bullshit?

    1. Re:Hackers stole a set of NSA cyberweapons by Anonymous Coward · · Score: 5, Insightful

      Yes I do believe it. Snowden was no super spy. He was a mid level IT grunt and he took everything including their lunch money. That means that spies with real training and skills, like the FSB, are walking out with arm loads of top secret stuff every day.

    2. Re:Hackers stole a set of NSA cyberweapons by TigerPlish · · Score: 5, Insightful

      Does anyone here really believe this cyber bullshit?

      Yes, yes I do.

      Rationale being: "Government is inept at best and criminal at worst. A happy medium is they being criminally inept. NSA is a Government agency, ergo all the batshit insane ineptness that infects the Government also infects the NSA"

      So yes, I believe the NSA got owned, and now begins the rearranging of deckchairs. A few people will be fired or otherwise disposed of, new techniques and tools will be developed, and life will be back to its nefarious normality again.

      But for now, grab your bacon, popcorn and intoxicant of choice, sit back and watch! This may be the best damn show of our age!

      (or it may be a brilliant piece of mis-direction, which would not make it any less real, just thornier and harder to decipher)

      --
      The "Civilized World" jumped the shark ca. 1973.
    3. Re:Hackers stole a set of NSA cyberweapons by Anonymous Coward · · Score: 0

      Does anyone here really believe this cyber bullshit?
      Why not? We have, so far, two different 0-day exploits. We also have well documented, in English hacking tools, most of which AFAIK aren't known tools. Who but the NSA or possibly GCHQ would produce this?

      I'd say it's very likely these are tools from the NSA. I think it's unlikely they directly hacked the NSA, but found some tools left lying around after they hacked some other site.

    4. Re:Hackers stole a set of NSA cyberweapons by Anonymous Coward · · Score: 0


      So yes, I believe the NSA got owned, and now begins the rearranging of deckchairs.

      Naw. I bet someone left some burglary tools lying around, and someone else found them. This isn't a massive treasure trove of different tools like you might expect from a breakin by the NSA.

    5. Re:Hackers stole a set of NSA cyberweapons by Anonymous Coward · · Score: 1

      No. Would not surprise me at all if the NSA was the ones that leaked these security tools. They were circa 2013, which in the cyber security /zero day exploit/ world is like 2 decades old. They have moved on to different strategies.

      If the NSA knew that our adversaries already had discovered these exploits, what better way to alert the various impacted software/device manufacturers, than a high profile ransom leak. They patch them and the NSA never really admits they exploited them in the first place.

    6. Re:Hackers stole a set of NSA cyberweapons by sjames · · Score: 2

      It's funny how fast this can become this.

    7. Re:Hackers stole a set of NSA cyberweapons by Anonymous Coward · · Score: 0

      you are a special kind of retard or a NSA shill

    8. Re:Hackers stole a set of NSA cyberweapons by calexontheroad66 · · Score: 2

      This thing of the government being inept, have you seen private bureaucracies at work?
      Big corporate bureaucracies are as inept most of the time as state bureaucracies. The moment you have an organization with more than 100 people and company policies or laws start to encroach and accumulate to prevent abuses or set preferred policies then as time goes by you'll see a mismatch between desired outcomes and real outcomes.

      Now, the problem is that at this point incremental improvements in productivity, technology or administration require ever more resources to be accomplished, this means that big bureaucracies tend to be the norm in both private and state organizations.

    9. Re:Hackers stole a set of NSA cyberweapons by cavreader · · Score: 3

      "Who but the NSA or possibly GCHQ would produce this" How about the FSB, Mossad, MSS, ISI, or DSG for starters?

    10. Re:Hackers stole a set of NSA cyberweapons by Karl+Cocknozzle · · Score: 1

      Yeah, that's the other patriotic favor Snowden did for us--he demonstrated our security procedures are shite.

      Consider: If the bureaucrats breaking the law willy nilly weren't even able to competently keep the secrets that (theoretically, of course, in real life we know it's not happening) could have landed them all in the Federal pokey for many years, what chance did they have of keeping national security secrets?

      --
      Who did what now?
    11. Re:Hackers stole a set of NSA cyberweapons by Anonymous Coward · · Score: 0

      yeah. they probably gassed snowden with some colorless/odorless anesthetic in a bathroom stall, airport sleeping cubby, or hotel room so they could clone his devices (did he bring his token or smart card with him?) and picked it apart to find what servers, credentials, vpn it hooked up to, maybe the documents as a whole clued them in to where to focus their attention if not one being a "how to" explicitly. As some say, wiping up after the snowden reveal may be the reason that the time stamps are not newer. You think his face didn't go out to all the snoops in hotels to tip off a VIP staying there. This is at least a more interesting story to follow as it unfolds than the election.

    12. Re:Hackers stole a set of NSA cyberweapons by tnk1 · · Score: 1

      Yes, my problem with big government is the same as my problem with big business organizations. They're effectively equivalent.

      Although I think Big Government is a bit more nefarious because it presents itself as being on the side of the People, and there are whole parties in the USA like the Democratic Party, who buy into how Big Government can solve all problems. The reality is that the advantage of elections over shareholders just redirects the inefficiency, but not even as much as you might think.

      We've already noticed the following, although few really understand it. There is a bigger gulf between politicians in a big government scenario and their constituents than there is between the same politicians and those who head big corporations. Republicans usually take the rap of being buddy buddy with the 1%, but it is just as true for most Democrats as well. Ultimately, that's as much due to them basically doing the same job (ie. trying to run a huge bureaucracy) as it has anything to do with actual corruption.

      If you want to not have your government be in substantial sympathy with big corporations, then you have to have your government not become a big corporation itself. The US government is a multinational, multi-product, conglomerate which operates with as much impunity as any big bank or pharmaceutical company and using nearly the same rules. The only difference is that they have a political layer which works to align voters into manageable blocs.

      I'm no admirer of Bernie Sanders, but you can see how that all played out very well. They had to deal with him, but ultimately most of his less extreme supporters all fell into line in the end. The Democratic party platform inched a few notches to the left to accommodate and co-opt the Bernie supporters and that's basically it. And of course, they're throwing around the whole "don't let Trump or the Republicans name a Supreme Court justice" too, as if that actually matters. Anyone who thinks that Trump would follow in lockstep with a normal Republican Supreme Court justice selection is not really paying attention. Trump isn't even playing ball to get elected. Who really thinks he'd actually kow tow to them if he actually got elected?

      But that's how things work. Our big corporate government operates as you would expect while trying to convince us that it is our best friend against those who are its real friends.

    13. Re:Hackers stole a set of NSA cyberweapons by Anonymous Coward · · Score: 0

      I read that in Keith David's voice, replacing "cyber" with "voodoo"

    14. Re:Hackers stole a set of NSA cyberweapons by amicusNYCL · · Score: 1

      Yes, I believe it. Why would it be so unbelievable, because all of the hardware and software that any organization, including the NSA, runs is so bulletproof? There are bugs in nearly every internet-facing device or application, and sometimes those bugs allow access to people that shouldn't have it.

      The real interesting thing about this is that this leak may cause all or most of the affected vendors to patch the bugs that the NSA has been exploiting.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    15. Re:Hackers stole a set of NSA cyberweapons by mcswell · · Score: 1

      To take this one step further, everyone is inept: you, your friends, the company you work for (even if it's Google), Volkswagen, every other company, NASA (remember Mars Climate Orbiter, Challenger and Columbia), the USG, the Soviet government (obviously!), the Russian government, and every other government. We all have our limitations, and to the extent we have a blind spot for those limits, we are inept.

      Excep me.

    16. Re:Hackers stole a set of NSA cyberweapons by TigerPlish · · Score: 1

      This thing of the government being inept, have you seen private bureaucracies at work?

      After working for a decade and a half in the private sector, yes, I have seen private red tape and wonder just how exactly money is made, given the overall disjointedness of it all.

      PFM, I suppose.

      --
      The "Civilized World" jumped the shark ca. 1973.
  4. NSA Weakening National Security by Anonymous Coward · · Score: 1

    I understand the NSA's desire to utilize zero-day vulnerabilities, but by doing so, they ultimately weaken national security.

    1. Re: NSA Weakening National Security by Anonymous Coward · · Score: 1

      This is why the government should absolutely never get backdoors into smartphones, or any other device. Every backdoor they force a company to put in is just one more secret that will get stolen and one more vulnerability that will get exploited by bad people.

  5. Q4 earnings, layoffs by Anonymous Coward · · Score: 2, Interesting

    Lovely timing with their earnings report. Hope they don't need those 14K/20% of workforce employees now...

    Seriously: Fuck Cisco. I hope their stock value plummets. I'm tired of this fucking fuckery.

    I will take my damn extra bacon though, cause bacon.

  6. Many on Slashdot can say, "I told you so" by TomR+teh+Pirate · · Score: 5, Insightful

    In past posts on Slashdot, the idea that the government should have backdoors into various systems that would allegedly be used only for legitimate criminal investigations. The security experts poo-pooed the idea, saying that all manner of things would go wrong, and this appears to be the day of reckoning. The government of course claims that this would never be a problem.

    Security researchers 1, NSA 0

    Is anybody here really surprised?

    1. Re:Many on Slashdot can say, "I told you so" by AHuxley · · Score: 1

      It all worked so well for the US and UK from the 1920's until the 1990's. Tame telco networks happy to share all the data, the ability to tap into global communications was easy given total access to all phone connections. Collect it all was cheap and the budgets just flowed in every year for new partnerships with the private sectors.
      Junk consumer crypto, a lack of hardware and software saw the global product flow to waiting the US intelligence customers.
      In the past decade or so the skill set of any budget challenged nation or group of smart people with fast internet has changed.
      Projects to map the internet in real time was within reach of very smart teams. Given the phone home nature of many of the US collection methods, something got noticed.
      The expected cover of bots, ads, a service password, malware, bespoke methods, strange ip ranges did not hold. Or more walk out problems...
      The question for the US is now who has the skill set to track their once secure data collection fronts in the wild, for how long has that ability existed and what junk disinformation has been pushed up to waiting US intelligence customers. For how long has well crafted disinformation over some time been acted on by the US without being noticed...
      Can the wider US intelligence community fully trust raw data gathered by the NSA? Could massive budgets sway back to the CIA, FBI for a more secure approach or a massive expansion of other global signals collection efforts be considered? A shift in decades of post Vietnam political patronage..
      Will all past product have to be reevaluated? Will other US agencies suggest they can do better and request their own new collection budgets?
      New talent and a massive duplication of needed support will be an epic win for contractors all over the USA :)

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Many on Slashdot can say, "I told you so" by WolfgangVL · · Score: 2

      Can the wider US intelligence community fully trust raw data gathered by the NSA? Could massive budgets sway back to the CIA, FBI for a more secure approach or a massive expansion of other global signals collection efforts be considered? A shift in decades of post Vietnam political patronage..

      Will all past product have to be reevaluated? Will other US agencies suggest they can do better and request their own new collection budgets?

      Find out next week, in another exciting episode of "Real Government Shenanigans"

      --
      You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
    3. Re:Many on Slashdot can say, "I told you so" by BlackSabbath · · Score: 1

      "...For how long has well crafted disinformation over some time been acted on by the US without being noticed..."

      Since the first Iraq war? Earlier?

    4. Re:Many on Slashdot can say, "I told you so" by houghi · · Score: 1

      And you think they now go "Darn, you are right. It was a silly idea."? No, they will just be louder. Why? Because they are interested in backdoors, not in security. If that breaks security is not relevant to them. It would even make it easier for them.

      If you say 1:0 as a score, they should be playing the same game and they don't. Just like people calling their game Football, it is two different games.

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re:Many on Slashdot can say, "I told you so" by cwsumner · · Score: 1

      "...For how long has well crafted disinformation over some time been acted on by the US without being noticed..."

      Since the first Iraq war? Earlier?

      I believe George Washington was the first to include "spycraft" into the U.S. government. 8-)

      Of course, we had a different government before that...

  7. NSA is complicit in damaging US Companies by Anonymous Coward · · Score: 1

    Odds are, they bought zero-days on the dark net, and that those same exploits were sold to other parties.

    Even if this is not the case, the conclusion applies.

    Conclusion: The NSA actively sought zero-day exploits and no doubt used them without notifying the vendors involved, including US companies (this is important).

    So the NSA performed illegal exploits against US companies. It's difficult to argue otherwise. These companies have been hurt financially (Snowden releases), so the NSA has effectively attacked US companies from a financial perspective as well.

    The release of the tools proves this, as well as exposing the charade that is the NSA's core activities and any claim of altruism.

    NSA should equal = No Such Administration

    They are 100% against the core values of the American system, they betray America.

    1. Re:NSA is complicit in damaging US Companies by AHuxley · · Score: 1

      AC Re you "Other than that nothing Snowden released resulted in any changes being made by the NSA operations."
      NSA aims to plug holes that sprang Snowden leaks (9/19/2013)
      http://arstechnica.com/securit...
      The new costs are in new teams of two contractors walking around with each other at any NSA site globally.
      Twice the cost or half the projects with the same budgets....
      The other change was to "remove anonymity from the network". That's two huge and very expensive changes needing a vast number of new cleared staff.
      The mind set of the staff has also changed, they are now being logged.
      Think of the performance based reports logging can generate. Are they taking too many breaks, not working long hours? Not sharing time and insights internally or with other 5 nations at an average rate as their co workers are...
      New logging systems have to be created, data collected, secured and tracked. That's more contractors and rented software solutions.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re: NSA is complicit in damaging US Companies by Anonymous Coward · · Score: 0

      Every exploit they know about and don't report is one more exploit that the enemy can also use against us. By not reporting them, they are actually making us more vulnerable.

    3. Re:NSA is complicit in damaging US Companies by sshir · · Score: 1

      That timing of deployment of logging tools might explain why files are 3 year old. Newer files are dangerous because they will expose the mole or access method used.

    4. Re: NSA is complicit in damaging US Companies by tnk1 · · Score: 1

      We *might* be safer potentially knowing all of the holes, but if those other countries are not also releasing their zero day exploits then the NSA loses all advantages to be gained from zero day exploits.

      More to the point, given the fact that many vulnerabilities are not patched immediately, you're actually handing those exploits to the enemy at the same time you're handing them to everyone else for defensive purposes, and therefore you're helping the enemy more than you're helping to defend your people. The enemy will be able to act on your information release long before all vulnerable groups can set up defenses.

      But bear in mind, the NSA does release some vulnerabilities and tools for the reasons you have suggested, but they are always going to reserve some weapons to themselves for their use, and also because those exploits are more dangerous in the wild.

  8. So... by sshir · · Score: 4, Interesting

    NSA _and_ Russians had access to all thus firewalled networks for 3 years... Should Cisco and its customers start lawyering up?

    1. Re:So... by Anonymous Coward · · Score: 1

      if you leave your firewalls exposed to snmp read from anything then you should not be anywhere near anything security related.

    2. Re:So... by bill_mcgonigle · · Score: 2

      NSA _and_ Russians had access to all thus firewalled networks for 3 years... Should Cisco and its customers start lawyering up?

      Are you serious? The entire point of a government is that they can do things that are illegal for everybody else (ostensibly because they are morally indefensible actions) and never face any consequences for their actions. Everything else is just various arrangements of that maxim.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:So... by Anonymous Coward · · Score: 0

      if you leave your firewalls exposed to snmp read from anything then you should not be anywhere near anything security related.

      How the hell do you keep an eye on a firewall without that though that isn't proprietary? Syslog sure as hell isn't enough and netflow is the wrong tool for the job. Pseudo webAPI scraping is a kludge.

      Or did you mean SNMP read from anywhere (which is dumb)?

  9. Well, it's convincing evidence by Anonymous Coward · · Score: 2, Insightful

    that the data files are indeed genuine. Cisco may have known about this for years, maybe not, who cares? Fact is, Cisco has confirmed that the exploits relating to them are genuine.

    This convinces me that Linus' rather blase' attitude towards security needs to be readdressed. Linux is the most widely-used Open Source OS for DIY and newcomer switch/router/firewall vendors. Linux can pretty much chown the market, if it can be reliably secured. OpenBSD is the next potential OS, but it's slower and the Book of PF simply doesn't go into the kind of details that Linux' Netfilter books do.

    1. Re: Well, it's convincing evidence by Anonymous Coward · · Score: 0

      Linux can pretty much chown the market, if it can be reliably secured. OpenBSD is the next potential OS, but it's slower

      If you make Linux "reliably secured" it will end up being way slower than OpenBSD.

    2. Re:Well, it's convincing evidence by Anonymous Coward · · Score: 0

      that the data files are indeed genuine. Cisco may have known about this for years, maybe not, who cares? Fact is, Cisco has confirmed that the exploits relating to them are genuine.

      .

      Cisco reacted rather quickly to the problem though. Fast enough that I'd believe they didn't know about it because if they had it would have been an uneventful patch to fix an exploit years ago. A company that can produce a patch for an exploit isn't going to hold off for years "just because".

  10. No security through obscurity: We need source code by chris2net23 · · Score: 4, Insightful

    I can't begin to take people seriously who talk about security if they don't get the basic gist that in order to build a secure system you must release the complete set of corresponding source code. Security is not something you can just bolt on after the fact. You don't get security simply by releasing the code. But without it you can't design a secure system. This is why all Intel and AMD systems are fundamentally flawed. We don't have the complete set of source code to critical secondary processors which have complete access to everything else. And what does the code on these secondary processors do? They include a lot of bloat including remote control functionality. It's not a secret. It's a back door in plain sight. They make it really easy to write off the back door as a feature, but it's clearly not to anybody who has even a remote understanding of the dangers here. You can't disable it. You can't design a system without it. You're simply screwed if a high legal intelligence agency wants access to your computer and they haven't got some other means of obtaining said monitoring. It's not something that is going to be used lightly, because then it would become apparent. No. They'll utilize other tools for mass-spying. But for those that actually utilize GPG and similar it's a serious security threat.

  11. Layoff by Anonymous Coward · · Score: 0

    Well,

    I hope the guys patching this stuff don't get laid off soon.

  12. Auction? by sshir · · Score: 2

    Does anybody know what's going on with that auction? Because it seems now that those crazy hackers do have some serious goods on them...

    1. Re:Auction? by Anonymous Coward · · Score: 0

      The drone has been dispatched.

    2. Re:Auction? by BoRegardless · · Score: 3, Funny

      Is this the "ONLY" bacon exploit those hackers have, or do they keep the juicy bacon hidden from the 'Criscos' of the world.

    3. Re:Auction? by Anonymous Coward · · Score: 0

      Auction is a joke. Bitcoin is super traceable. They have no expectation of getting paid. The whole thing is a ruse.

    4. Re:Auction? by Anonymous Coward · · Score: 0

      they release bits and pieces sporadically over time to keep themselves in the news past their warhol-appointed time, and to make themselves appear to be more than just a one-hit wonder.

    5. Re:Auction? by AmiMoJo · · Score: 3, Insightful

      The auction is just to humiliate the US and the NSA. Looking at the file dates it seems likely this data was extracted back in 2013 and presumably the exploits have been in use since then. For political reasons they have decided to go public now.

      The auction is just to give a bit of cover and extra embarrassment that common criminals in it for the money, rather than another nation state, were able to hack the NSA.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Auction? by Anonymous Coward · · Score: 0

      Bitcoin is super traceable.

      Except you know, when anyone is challenged to actually trace stolen coins, or use it to catch drug dealers. Bitcoin will always be theoretically traceable to people who don't understand the theory behind coin mixing.

    7. Re:Auction? by Anonymous Coward · · Score: 0

      Why do you think that the idea of no non-state sponsored hacker(s) have the ability to do this? Even drug cartels have been known to infest government, including FSB, systems.

      The cold war is long over. The rise of individuals as being a massive force in the IT world has been going for just as long.

  13. Re:No security through obscurity: We need source c by jwymanm · · Score: 1

    If we ever see large secure open systems it'll be by the time AI has developed them so the source code itself will not be even necessary unless you want to trust human audits of possibly constantly changing code. There's no way also to prove once something ships that the hardware doesn't have some embedded self modifying code forced by gov agencies on the company or random UPS guy delivering your package. I'm not arguing against open systems I am just stating pretty much where there is a will there is a way. You need to take away the will of government to hack its own people. Figuratively and literally heh.

  14. Re:No security through obscurity: We need source c by Anonymous Coward · · Score: 0

    "Large secure open systems" - OpenBSD?

  15. Extra Bacon! by Anonymous Coward · · Score: 0

    Not just Bacon but EXTRA BACON!!!!!

  16. Re:No security through obscurity: We need source c by Anonymous Coward · · Score: 0

    Just an OS on a server. What about the rest right down to l3 switches, SAN, enterprise management software, and unified gateway?

  17. WELL FBI I READ SUMMARY TO HERE by Anonymous Coward · · Score: 0

    >the multibillion dollar tech firm Cisco

    FBI don't know how stupid that sounds. Imagine if you just had said..

    The multibillion dollar super duper fantastic one and only world renowned infamous back from the bahamas CISCO doot doot.

    It is just Cisco. Stop lying cunts. As for the content and where it was going.. if the NSA publish any "tools".. hosts file that shit.

    Ed Snowden is right.

  18. A little basic network security is gonna help here by jordancrombie1629 · · Score: 1

    First this assumes (for the ASA one at least) you are exposing SNMP on some interface reachable by *badGuys*. If you are dumb enough to expose SNMP (even > v2 ) over a raw/public side interface, you are a moron. Typically one would expose SNMP or even SSH for control/monitoring only on your control plane. If bad guys are routing into your control network (why are you allowing this to be a routable network anyways?) you have a bigger problem. Also, you need to know the community string. If you're not rolling them every once in a while, and on add/remove of people into your control network security zone, again...you are begging for this. Lastly...and it's been a while, but if I remember my SNMP on the ASA, you actually have to specify host allowed, not just exposed network interface, so now to make this work you are working from an owned box that has been granted SNMP access. I mean it sucks that this was in the wild for so long, but it isn't like it's a real back door...like some deep daemon down in the stack that only accepts rlogin traffic from www.badguy.com . At least if they want in, and you are doing your job, they will need to peel back a couple of your layers.
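The checks described in the comment above (SNMP only on the control-plane interface, explicitly listed poller hosts, non-default community strings) can be run against a saved ASA configuration. This is an added example, not part of the original thread; the interface names, management subnet, sample lines and weak-string list are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample configuration for illustration; not from a real device.
# Assumes community strings appear in cleartext in the text being audited.
SAMPLE_CONFIG = """\
snmp-server host outside 198.51.100.7 community public version 2c
snmp-server host mgmt 10.20.0.15 poll community Xk29-rotated-0816 version 2c
snmp-server host mgmt 203.0.113.40 community private
snmp-server host inside 10.20.0.16 community Xk29-rotated-0816
"""

WEAK_COMMUNITIES = {"public", "private", "cisco", "snmp"}  # hypothetical deny-list
HOST_RE = re.compile(r"^snmp-server host (\S+) (\S+)(.*)$", re.M)
COMMUNITY_RE = re.compile(r"\bcommunity (\S+)")


def audit_snmp(config, mgmt_ifaces=("mgmt",), mgmt_net="10.20.0.0/24"):
    """Return (interface, poller, finding) tuples for risky SNMP host entries,
    in the order the entries appear in the configuration."""
    allowed = ipaddress.ip_network(mgmt_net)
    findings = []
    for iface, host, rest in HOST_RE.findall(config):
        # SNMP should only be reachable through the control-plane interface.
        if iface not in mgmt_ifaces:
            findings.append((iface, host, "interface is not a management interface"))
        # Each permitted poller should live inside the management subnet.
        try:
            if ipaddress.ip_address(host) not in allowed:
                findings.append((iface, host, "poller is outside the management subnet"))
        except ValueError:
            findings.append((iface, host, "poller is a hostname; resolve and review"))
        # Default or guessable community strings remove the last barrier.
        match = COMMUNITY_RE.search(rest)
        if match and match.group(1).lower() in WEAK_COMMUNITIES:
            findings.append((iface, host, "default or guessable community string"))
    return findings


if __name__ == "__main__":
    for iface, host, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"{iface:8} {host:15} {finding}")
```

Community-string rotation cannot be read from a single configuration snapshot; comparing saved configurations over time is one way to check it.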

  19. Thanks nsa by Anonymous Coward · · Score: 0

    For leaving the American public vulnerable to this for years. Top notch work.

    Faggots.

  20. Re:A little basic network security is gonna help h by BlackSabbath · · Score: 1

    SNMP doesn't have to be exposed on a public interface just an internal one, perhaps less secured, that the black hats have already compromised.

  21. Haiku version by Anonymous Coward · · Score: 0

    Auction is a joke.
    Bitcoin is so traceable.
    The whole thing's a ruse.

  22. I'm unclear why this is considered 0 day by breagerey · · Score: 4, Informative

    The exploit is specific to ASA software versions 8.0 - 8.4
    8.5 was released in March of 2012.
    The current version of ASA software is 9.6
    http://www.cisco.com/c/en/us/t...

    Why would anybody still be running 8.0 - 8.4 ??

    1. Re: I'm unclear why this is considered 0 day by bsDaemon · · Score: 3, Insightful

      Because their network is working, they don't need new features and they either don't have time, care or requirements to check security notes when they are released? "If it isn't broken, don't fix it" can be a powerful drug.

    2. Re:I'm unclear why this is considered 0 day by Anonymous Coward · · Score: 0

      Because it was kept in the dark for three years at least. There is a CVE that links to extrabacon, but it wasn't something they believed led to execution.

    3. Re: I'm unclear why this is considered 0 day by Anonymous Coward · · Score: 0

      Also, 8.3+ significantly changed the NAT model for the ASA and a lot of customers are loath to upgrade because there's a fair amount of work involved in re-doing their NAT config.

    4. Re:I'm unclear why this is considered 0 day by Anonymous Coward · · Score: 0

      One word:

      Smartnet

    5. Re:I'm unclear why this is considered 0 day by Anonymous Coward · · Score: 1

      Posting anonymous, for obvious reasons. Up until recently, we ran an ASA with version 8.2, because it handled a very important VPN function with high-ranking users. In 8.3 (fuzzy memory, someone back me up?), the syntax for NATs and a bunch of other commands changed drastically, and we didn't have the manpower to change it over to the new syntax, test it, and verify correctness. We finally got SmartNet on it and got Cisco on the phone to help change it over when a new admin pointed out all of the recently-revealed vulnerabilities of the pre-9.x train. Sometimes there is not the skill/time/manpower to migrate off of an affected version, especially when the syntax changes like it did in this instance.

    6. Re: I'm unclear why this is considered 0 day by t0rkm3 · · Score: 2

      Huh?

      I've upgraded a metric shit ton of ASAs (~1500) from pre-8.3 to post 8.3 way back in the day, and I am fairly certain that only two failed to correctly migrate their NATs.

    7. Re:I'm unclear why this is considered 0 day by AmiMoJo · · Score: 1

      It's a taster of what they have, older but still previously unknown (hence the 0-day, it's been known publicly about for zero days) vulnerabilities that they give away for free to illustrate what the winner of the auction will get. Unless the auction is a scam I'd expect it to include exploits for more recent versions.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:I'm unclear why this is considered 0 day by mjwx · · Score: 1

      Why would anybody still be running 8.0 - 8.4 ??

      The Cisco ASA, especially at the lower end, is designed for small to medium businesses. A metric shitload of them will be using them as set and forget devices, only updating them when they have to. If they've never had a serious issue with them, they'd still be running older firmware. March 2012 is not that long ago. It would have been installed later than that considering that stock in boxes won't have been updated in March 2012.

      Sure most businesses would have updated, but don't kid yourself that no-one is running 4 year old firmware and is completely unaware of the problem with that.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    9. Re:I'm unclear why this is considered 0 day by blunttrauma · · Score: 1

      Reading the Cisco advisory, this honestly doesn't seem like a huge problem. In addition to needing SNMP connectivity to the ASA (which in any competent installation would be blocked from Internet) you also need the SNMP Community String.

      Here is the advisory: https://tools.cisco.com/securi...

      Am I missing something?

    10. Re: I'm unclear why this is considered 0 day by The-Ixian · · Score: 1

      "If it isn't broken, don't fix it" can be a powerful drug.

      I am addicted to the "If it ain't broke, fix it till it is" drug, personally...

      --
      My eyes reflect the stars and a smile lights up my face.
    11. Re:I'm unclear why this is considered 0 day by Anonymous Coward · · Score: 0

      Same AC, just posting a clarification based on some other comments I saw. The admin tried to do the automated upgrade from 8.2 to 8.3, but the config was just unusual enough that it turned out to be one of the relatively rare situations where the automated conversion didn't quite get it. We had VPN users who would connect in and video chat with each other over the VPN. IIRC, at the end of the day the one crucial command that didn't get put in automatically after the config was "same-security-traffic permit intra-interface".

    12. Re: I'm unclear why this is considered 0 day by Anonymous Coward · · Score: 0

      For a lot of people, the upgrade made a mess of ACLs, NAT rules, and objects.

    13. Re:I'm unclear why this is considered 0 day by Anonymous Coward · · Score: 0

      Wrong. The advisory clearly states:

      "All Cisco ASA releases are affected."

      Why would you not read the advisory?

    14. Re:I'm unclear why this is considered 0 day by Cramer · · Score: 1

      Because of the specific device they have (5505 can't run 9.6, for example.) Or because their "certified configuration" requires a specific version.

      Also, as others have mentioned (and will CONTINUE to mention), 8.3+ significantly fucked up the NAT configuration language. I will switch vendors before I use that fucked up shit.

    15. Re: I'm unclear why this is considered 0 day by Cramer · · Score: 1

      Count yourself one of the lucky few. More complex firewall configurations are orders of magnitude more likely to get completely screwed. I know several enterprises that dumped Cisco over this bullshit.

    16. Re:I'm unclear why this is considered 0 day by Anonymous Coward · · Score: 0

      Yes, NAT changed drastically in 8.3+.

      One of the other big stumbling blocks was the fact that for the newer IOS versions, you were required to have additional ram/flash installed, as the original ASA production lines came with significantly less (particularly the 5505 through 5540 models...http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/product_bulletin_c25-586414.html).

      As such, many customers did not make the switch to 8.3+ or 9.x, so much so, that despite the fact that Cisco stopped patching 8.2 back in Oct-2015 (as per their EoL roadmap for that version...http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-731651.html), they did in fact get pressured into doing an 8.2 release back in Feb-2016 (8.2.5(59)...http://www.cisco.com/web/software/280775065/45357/ASA-825-Interim-Release-Notes.html), for the IKE vulnerabilities that went public at the time (Cisco bug IDs CSCux29978 and CSCux42019).

      The very fact they back-pedaled on their EoL for that version, due to remaining customer use volume, should speak clearly as to how many people were still on pre 8.3+/9.x codebases in Q1-2016.

  23. Re:No security through obscurity: We need source c by Anonymous Coward · · Score: 0

    You first and foremost need the source code of your "voting machines". Otherwise you're screwed anyway (in the long run, not necessarily in the next elections).

  24. That's not what it means by drinkypoo · · Score: 1

    ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools."

    No, that's not what it means. It means that they claim that it was unknown to them. Cisco has demonstrated that they cannot be trusted by inserting obviously intentional back doors. Forever after now we can never safely assume that a security vulnerability in a Cisco product was unintentional.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  25. they did NOT patch it by Anonymous Coward · · Score: 0

    "Journalists" need to READ before spouting their shitty blogspam.
    "Cisco has not released software updates that address this vulnerability. There are workarounds that address this vulnerability."

  26. Who does Cisco think they're fooling? by Anonymous Coward · · Score: 0

    CISCO is in bed with US government. Who the fuck cares what they say they're patching?

  27. Disagree by Anonymous Coward · · Score: 0

    Any such tools are protected by classification marking. Despite the Hollywood notoriety, the CIA and especially the NSA (as it is technically a DoD agency unlike the CIA) still have to put up with the same red tape and budgetary politics as the rest of the US Government agencies--anyone who tells you otherwise is either a liar or is in a black group with a guardian angel SES / Political Appointee (i.e. "Secretary" of something) that is in good with their Congressional Committee. These groups cannot be the size of the NSA and get away with this, as the budget is too huge to hide from the rest of Congress outright (see also, the recent revealing of SCO in the DoD). I will also mention none of the people responsible for these tools are a Clinton [/rimshot].

    Thus, I don't think they can reveal this themselves, nor would they. I would agree with the ex-NSA people in the news who have said there are a lot of people in Aberdeen who are Shitting Bricks, since the "old stuff" is only what has been released for free (not the whole thing). It makes a lot of sense to release the least valuable assets that still prove validity and keep the more lucrative stuff as the things you want to sell. If the least valuable stuff is from 2013 and contains zero day exploits....yikes.

  28. Re:No security through obscurity: We need source c by Anonymous Coward · · Score: 0

    I think it's naive of you to think that source code for hardware will do you any good against malicious vendors.

    They can give you false source code and you won't be able to verify it if your life depended on it.

  29. Claims not confirmed. by Anonymous Coward · · Score: 0

    "ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers..."

    Rather

    "ExtraBacon was a zero-day exploit, Cisco claimed. That means it was unknown to Cisco or its customers..."

    Fixed that for you.

  30. Not a Haiku. by Anonymous Coward · · Score: 0

    No wireless

    Less space than a nomad

    lame

  31. Re:No security through obscurity: We need source c by WallyL · · Score: 1

    It's a back door in plane sight.

    So they should be able to see it from a bird's-eye view, right?

  32. News? by sshir · · Score: 2

    Interesting note: There are no frontpage articles about NSA hack among major American news outlets. It is/was on BBC, Guardian, etc. But not on CNN, WSJ, NYtimes...

    Hmmm....

  33. NSA hack confirmed? by Anonymous Coward · · Score: 0

    So basically, I read this as confirming the NSA hack. Because before I was like meh, anyone can say they are selling anything and be lying.

  34. Re:Meanwhile by Anonymous Coward · · Score: 0

    Why did this get -1, has anyone checked?

  35. Re:Meanwhile by Anonymous Coward · · Score: 0

    https://linux.slashdot.org/story/15/09/07/1311247/debian-working-on-reproducible-builds-to-make-binaries-trustable

    I assume from the -1 that must mean problem solved! And only a year later, great job guys.